Once a UEFI-capable computer is powered on, code execution starts in the firmware, which configures the processor and other hardware and gets the machine ready to boot the operating system. To date, UEFI has been used with 32- and 64-bit ARM, AMD and Intel chips, and for each of these platforms the boot code has to be compiled specifically for the target. UEFI still supports older extensions such as ACPI, which keeps it backward compatible with components that do not depend on a 16-bit runtime environment. After power-on, the firmware checks the signatures of the firmware code that lives on hardware components such as hard disks, graphics cards and network interface cards.
Next, the Option ROMs prepare and configure the hardware peripherals for handoff to the operating system. During this process the firmware compares the signature embedded in each firmware module against the database of signatures already stored in the firmware. If a match is found, that hardware module is allowed to execute. In effect, the firmware works through a checklist, matching each module's signature against its database, and refuses to proceed if a component's signature appears on the Disallowed list, which indicates that it may be infected with malware.
The main database is segmented into an Allowed list and a Disallowed list. The Allowed list holds the trusted firmware modules, while the Disallowed list holds hashes of malware-infected firmware, whose execution is blocked to maintain the integrity and security of the system.
The original equipment manufacturer installs a unique signature and keys during manufacturing for the secure boot process. This trust relationship is built on a digital certificate exchange commonly known as Public Key Infrastructure (PKI). PKI is the core of the Secure Boot feature in UEFI: a set of hardware, software and policies used to create, manage and distribute digital certificates with the help of a Certificate Authority (CA).
The Secure Boot feature requires firmware implementing UEFI version 2.3.1 or higher. It mainly addresses rootkits and malware that target system vulnerabilities before the operating system loads, and it also protects systems from bootloader attacks and firmware compromise. A cryptographic key exchange takes place at boot time to check whether the operating system trying to boot is genuine and has not been compromised by malware or rootkits.
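The Allowed/Disallowed decision described above can be made concrete with a small simulation. The following is an added example written for this page, not code from the article or from any UEFI implementation. It assumes a simplified model: the Allowed list (db) holds trusted public keys, the Disallowed list (dbx) holds SHA-256 hashes of revoked images, and the Disallowed list is consulted first so that a revoked image is rejected even if its signature still verifies. The signature scheme is textbook RSA over a toy modulus built from two Mersenne primes, chosen only so the check runs without a third-party crypto library; it is not suitable for real use.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Toy RSA primes (Mersenne primes 2^31-1, 2^61-1, 2^89-1). These moduli are
# far too small for real signatures; they only make the verification step
# executable here. Real Secure Boot uses X.509 certificates with 2048-bit
# or larger RSA keys.
M31 = (1 << 31) - 1
M61 = (1 << 61) - 1
M89 = (1 << 89) - 1


def make_keypair(p: int, q: int, e: int = 65537):
    """Return ((n, e), (n, d)) for the toy modulus n = p*q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse, Python 3.8+
    return (n, e), (n, d)


def image_digest(image: bytes) -> int:
    """SHA-256 of the image, truncated to 64 bits so it stays below the toy modulus."""
    return int.from_bytes(hashlib.sha256(image).digest()[:8], "big")


def sign_image(image: bytes, private_key) -> int:
    n, d = private_key
    return pow(image_digest(image), d, n)


def signature_valid(image: bytes, signature: int, public_key) -> bool:
    n, e = public_key
    return pow(signature, e, n) == image_digest(image)


@dataclass
class SecureBootPolicy:
    """Hypothetical policy object: db = Allowed list of keys, dbx = Disallowed hashes."""
    db: List[tuple] = field(default_factory=list)
    dbx: Set[str] = field(default_factory=set)

    def may_execute(self, image: bytes, signature: int) -> Tuple[bool, str]:
        # 1. The Disallowed list wins, even over a signature that still verifies.
        if hashlib.sha256(image).hexdigest() in self.dbx:
            return False, "image hash is on the Disallowed list (dbx)"
        # 2. Any key on the Allowed list that verifies the signature is enough.
        for key in self.db:
            if signature_valid(image, signature, key):
                return True, "signature verified against the Allowed list (db)"
        # 3. Unsigned, tampered, or signed by a key the platform does not trust.
        return False, "no key on the Allowed list verifies the signature"


def demo() -> dict:
    """Run four constructed cases and return their verdicts keyed by name."""
    oem_pub, oem_priv = make_keypair(M31, M61)      # key enrolled by the OEM
    other_pub, other_priv = make_keypair(M31, M89)  # key the platform never enrolled

    good_loader = b"constructed sample: trusted bootloader image"
    revoked_loader = b"constructed sample: old bootloader later found vulnerable"

    policy = SecureBootPolicy(
        db=[oem_pub],
        dbx={hashlib.sha256(revoked_loader).hexdigest()},
    )

    good_sig = sign_image(good_loader, oem_priv)
    tampered = good_loader[:-1] + b"!"  # one byte changed after signing

    return {
        "trusted": policy.may_execute(good_loader, good_sig),
        "tampered": policy.may_execute(tampered, good_sig),
        "untrusted_key": policy.may_execute(good_loader, sign_image(good_loader, other_priv)),
        "revoked": policy.may_execute(revoked_loader, sign_image(revoked_loader, oem_priv)),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:14s} allowed={allowed!s:5s} {reason}")
```

The order of the two checks is the point worth noticing: a platform that consulted the Allowed list first would happily run the revoked loader, because its OEM signature is still mathematically valid. Revocation only works if the Disallowed list is checked before any signature is trusted.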
A while ago there was a dispute between Microsoft and the Free Software Foundation, in which the latter accused the former of trying to use the Secure Boot feature of UEFI to prevent the installation of other operating systems, such as various Linux distributions, by requiring computers certified for Windows 8 to ship with Secure Boot enabled through a Microsoft private key. Microsoft controls the key signing authority, and anyone who wanted to boot an operating system on hardware certified for Microsoft Windows would have to buy Microsoft's private key at a hefty price. The computer hardware would itself hold a copy of Microsoft's public key and would use it to verify the integrity of the private key and check whether it originally came from Microsoft.